opensaml 3 signature from saml response is null
Hi, I am getting this error message:
net.shibboleth.utilities.java.support.logic.ConstraintViolationException: Signature was null
while validating a SAML response from Azure AD.
For testing purposes I saved the response to an xml file and found this tag:
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_97031c65-0139-4047-a416-9495df5d6ed7">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>
KMaFHRt8inqVYsMGKnAryKUTQUbYGPUDPxdvj6T08OQ=
</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
.....
</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>
....
</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
I unmarshal the XML response:
// OpenSAML 3 imports (not shown in the original snippet); the usual JAXP, DOM and java.nio imports are also needed
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.Unmarshaller;
import org.opensaml.saml.saml2.core.Response;

InitializationService.initialize();
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setNamespaceAware(true);
// The response comes from a remote party: refuse DTDs so the parser cannot be driven into XXE
documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder docBuilder = documentBuilderFactory.newDocumentBuilder();
// Decode and re-encode as UTF-8 explicitly; the platform default charset could alter the signed bytes
String content = new String(Files.readAllBytes(Paths.get("saml_response_azure.xml")), StandardCharsets.UTF_8);
Document document = docBuilder.parse(new ByteArrayInputStream(content.trim().getBytes(StandardCharsets.UTF_8)));
Element element = document.getDocumentElement();
Unmarshaller unmarshaller = XMLObjectProviderRegistrySupport.getUnmarshallerFactory().getUnmarshaller(element);
Response response = (Response) unmarshaller.unmarshall(element);
The error is thrown at:
Signature signature = response.getAssertions().get(0).getSignature(); // returns null
SAMLSignatureProfileValidator profValidator = new SAMLSignatureProfileValidator();
profValidator.validate(signature);
OK, I think I found it. It looks like you haven't added any implementation dependencies to your POM. When I use your POM and include this dependency, I get the Signature object.
<dependency>
<groupId>org.opensaml</groupId>
<artifactId>opensaml-saml-impl</artifactId>
<version>3.2.0</version>
</dependency>
The modular structure of the dependencies is very different from OpenSAML version 2.
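The answer above only gets the Signature object back; it does not show what a complete check of an Azure AD response looks like once the impl modules are present. The following is an added example written for this page, not code from the question, the answer or the OpenSAML project. It assumes OpenSAML 3.x with both opensaml-saml-impl and opensaml-xmlsec-impl on the classpath (the latter supplies the signature validation provider that SignatureValidator loads), the file name saml_response_azure.xml from the question, and a placeholder azure_idp_signing.cer holding the IdP signing certificate taken from the federation metadata, not from the message itself.

```java
// Added example: verify response and/or assertion signatures of a SAML response
// with OpenSAML 3.x. Paths and the class name are placeholders.
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.List;

import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.Unmarshaller;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureException;
import org.opensaml.xmlsec.signature.support.SignatureValidator;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

import net.shibboleth.utilities.java.support.xml.BasicParserPool;

public class VerifyAzureSamlResponse {

    public static void main(String[] args) throws Exception {
        InitializationService.initialize();

        // BasicParserPool is namespace-aware and rejects DOCTYPE declarations by default,
        // so a hostile response cannot drive the parser into XXE.
        BasicParserPool parserPool = new BasicParserPool();
        parserPool.initialize();
        Document document;
        try (InputStream in = Files.newInputStream(Paths.get("saml_response_azure.xml"))) {
            document = parserPool.parse(in);
        }
        Element root = document.getDocumentElement();
        Unmarshaller unmarshaller =
                XMLObjectProviderRegistrySupport.getUnmarshallerFactory().getUnmarshaller(root);
        if (unmarshaller == null) {
            // Nothing registered for the element: no *-impl module on the classpath.
            throw new IllegalStateException("No unmarshaller for " + root.getTagName()
                    + "; is opensaml-saml-impl on the classpath?");
        }
        Response response = (Response) unmarshaller.unmarshall(root);

        // Trust anchor obtained out of band (federation metadata). Never take the
        // certificate from the <KeyInfo> inside the message being verified.
        Credential idpCredential = loadCertificate("azure_idp_signing.cer");

        Signature responseSignature = response.getSignature();
        if (responseSignature != null) {
            verify(responseSignature, idpCredential);
        }
        List<Assertion> assertions = response.getAssertions();
        if (assertions.isEmpty()) {
            // Encrypted assertions would have to be decrypted before this point.
            throw new SecurityException("Response contains no assertion");
        }
        for (Assertion assertion : assertions) {
            Signature assertionSignature = assertion.getSignature();
            if (assertionSignature == null && responseSignature == null) {
                // Fail closed: an unsigned assertion inside an unsigned response proves nothing.
                throw new SecurityException("Neither the response nor assertion "
                        + assertion.getID() + " is signed");
            }
            if (assertionSignature != null) {
                verify(assertionSignature, idpCredential);
            }
        }
        System.out.println("Signatures OK");
    }

    private static void verify(Signature signature, Credential credential) throws SignatureException {
        // Profile check first: one Reference whose URI is the parent element's ID and only the
        // enveloped-signature / c14n transforms. This rejects signature-wrapping layouts
        // before the cryptographic check runs.
        new SAMLSignatureProfileValidator().validate(signature);
        SignatureValidator.validate(signature, credential);
    }

    private static Credential loadCertificate(String path) throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            X509Certificate cert = (X509Certificate)
                    CertificateFactory.getInstance("X.509").generateCertificate(in);
            return new BasicX509Credential(cert);
        }
    }
}
```

Signature checks are only part of accepting a response: after this you still need to check Issuer, Audience, the SubjectConfirmationData Recipient and NotOnOrAfter, the Conditions window, and InResponseTo against the request you actually sent.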